aws / aws-iot-device-sdk-js-v2

Next generation AWS IoT Client SDK for Node.js using the AWS Common Runtime
Apache License 2.0
214 stars 96 forks

npm audit - 2 vulnerabilities found - Severity: 2 high #517

Closed abarke closed 1 week ago

abarke commented 1 month ago

Describe the bug

Need to update dependencies.

$ pnpm audit
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ ws affected by a DoS when handling a request with many │
│                     │ HTTP headers                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ws                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.17.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.17.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > aws-iot-device-sdk-v2@1.20.0 > aws-crt@1.21.2 >    │
│                     │ @httptoolkit/websocket-stream@6.0.1 >                  │
│                     │ isomorphic-ws@4.0.1 > ws@8.17.0                        │
│                     │                                                        │
│                     │ . > aws-iot-device-sdk-v2@1.20.0 > aws-crt@1.21.2 >    │
│                     │ @httptoolkit/websocket-stream@6.0.1 > ws@8.17.0        │
│                     │                                                        │
│                     │ . > nuxt@3.11.2 > @nuxt/devtools@1.3.2 > ws@8.17.0     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3h5v-q93c-6h6q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ ws affected by a DoS when handling a request with many │
│                     │ HTTP headers                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ws                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.5.10                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.10                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > aws-iot-device-sdk-v2@1.20.0 > aws-crt@1.21.2 >    │
│                     │ mqtt@4.3.8 > ws@7.5.9                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3h5v-q93c-6h6q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found
Severity: 2 high

Expected Behavior

No vulnerabilities found

Current Behavior

2 vulnerabilities found
Severity: 2 high

Reproduction Steps

npm audit

Possible Solution

I found a solution to the first dependency by simply adding this to package.json:

{
  "dependencies": {
    "ws": "^8.17.1"
  }
}

However, the second vulnerability requires that the mqtt@4.3.8 library be updated to mqtt@>=5.7.2 (ref. "ws": "^8.17.1": https://github.com/mqttjs/MQTT.js/blob/v5.7.2/package.json#L127).

That means that https://www.npmjs.com/package/aws-crt must also update to mqtt@>=5.7.2, which is a major change.

Additional Information/Context

No response

SDK version used

v1.20.0

Environment details (OS name and version, etc.)

Windows 11
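The override approach, as an added example that is not part of the issue author's solution nor the SDK project's code: a small Node.js script that checks the ws versions reported by the audit above against the two GHSA-3h5v-q93c-6h6q ranges quoted in the table, and derives a per-major override that forces the transitive ws resolution to a patched release. The dependency paths embedded in the script are constructed from the audit table on this page; the override selector form (`ws@7`, `ws@8`) under `pnpm.overrides` for pnpm, or top-level `overrides` for npm, is an assumption to verify against your package-manager version. An override differs from the direct `"ws": "^8.17.1"` dependency shown above in that it rewrites what every transitive path resolves to, whereas a direct dependency only changes packages whose own range already admits the patched version.

```javascript
// Added example (not project code): audit ws versions against the advisory
// ranges printed on this page and build a package-manager override block.

// Ranges exactly as they appear in the pnpm audit output above.
const WS_ADVISORY = {
  id: 'GHSA-3h5v-q93c-6h6q',
  ranges: [
    { vulnerable: '>=8.0.0 <8.17.1', patched: '8.17.1' },
    { vulnerable: '>=7.0.0 <7.5.10', patched: '7.5.10' },
  ],
};

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored. This is
// enough for release versions in a lockfile, not a full semver implementation.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a space-separated conjunction of comparators, e.g. ">=8.0.0 <8.17.1".
function satisfies(version, range) {
  return range.split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(clause);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
  });
}

// The advisory range a ws version falls into, or null when it is patched.
function wsAdvisoryRange(version) {
  return WS_ADVISORY.ranges.find((r) => satisfies(version, r.vulnerable)) || null;
}

// Each path is a dependency chain as pnpm prints it, ending in "ws@<version>".
function findVulnerableWs(paths) {
  return paths
    .map((p) => {
      const leaf = p.split('>').pop().trim();
      const version = leaf.replace(/^ws@/, '');
      return { path: p, version, range: wsAdvisoryRange(version) };
    })
    .filter((r) => r.range !== null);
}

// One override per affected major, keyed in the "pkg@major" selector form.
// Assumption (verify for your package manager): pnpm reads this under
// "pnpm.overrides" in package.json, npm under a top-level "overrides" key.
function buildOverrides(vulnerable) {
  const overrides = {};
  for (const v of vulnerable) {
    const major = parseVersion(v.version)[0];
    overrides[`ws@${major}`] = `^${v.range.patched}`;
  }
  return overrides;
}

// Constructed input: the three SDK paths from the audit table on this page.
const AUDIT_PATHS = [
  '. > aws-iot-device-sdk-v2@1.20.0 > aws-crt@1.21.2 > @httptoolkit/websocket-stream@6.0.1 > isomorphic-ws@4.0.1 > ws@8.17.0',
  '. > aws-iot-device-sdk-v2@1.20.0 > aws-crt@1.21.2 > @httptoolkit/websocket-stream@6.0.1 > ws@8.17.0',
  '. > aws-iot-device-sdk-v2@1.20.0 > aws-crt@1.21.2 > mqtt@4.3.8 > ws@7.5.9',
];

function main() {
  const hits = findVulnerableWs(AUDIT_PATHS);
  for (const h of hits) {
    console.log(`ws@${h.version} matches ${WS_ADVISORY.id} (${h.range.vulnerable}): ${h.path}`);
  }
  // Paste the printed object into package.json, reinstall, and re-run the audit.
  console.log(JSON.stringify({ pnpm: { overrides: buildOverrides(hits) } }, null, 2));
}

main();
```

After adding the printed block to package.json, run `pnpm install` and `pnpm audit` again to confirm the three paths now resolve to the patched releases; the override is a stopgap for the consuming project until the SDK itself ships a release with updated dependencies.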

jmklix commented 1 month ago

Thanks for pointing this out to us. It is currently not an issue for anyone using this sdk, as security vulnerabilities don't affect any of the functions used by this sdk. We will leave this issue open for when we update to the latest ws version.

abarke commented 1 month ago

[like] Alexander Barker reacted to your message.

bretambrose commented 1 week ago

This should be addressed in the v1.21.0 release.

github-actions[bot] commented 1 week ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.